Ciphers Supported by the TLS Connector

OpenSSL (which is used by the TLS connector) supports over 135 ciphers that can potentially be used with certificates.

Note: On Windows, Uniface provides the OpenSSL executable in the \common\bin folder of the Uniface installation. On Linux, it is usually pre-installed. Alternatively, you can obtain it from one of the sites suggested by the OpenSSL Wiki (https://wiki.openssl.org/index.php/Binaries). For more information, consult the OpenSSL documentation (http://www.openssl.org/).

To get the list of supported ciphers, use the following command:

openssl ciphers -v

Usable Ciphers

During the initial TLS handshake, the client and the server negotiate which cipher to use to encrypt the communication. By default, the most secure cipher supported by both peers is used, but if you supply your own list, the first common cipher in the list is used.

In practice, not all supported ciphers may be available to the TLS connector when establishing a connection:

  • By default, RC4 and all anonymous ciphers are disabled.
  • The TLS connector currently supports only RSA algorithms for key encryption and authentication. When RSA is used to encrypt a private key, only ciphers that use RSA as the authentication algorithm can be used.
  • The TLS connector does not currently support ciphers that require extra parameter files to be used, such as DSA and Diffie-Hellman ciphers.

Cipher Names

Cipher names reflect the algorithms they support. For example, the cipher name ECDHE-RSA-AES256-GCM-SHA384 indicates that it supports the following algorithms:

  • ECDHE (used for key exchange)
  • RSA (used for authentication)
  • AES256-GCM (used for data encryption)
  • SHA384 (used for message authentication and integrity verification)

In some cipher names, one or more algorithms may be omitted. Usually, the key exchange algorithm in these ciphers is RSA, but you can find out the details using the OpenSSL ciphers command with the -v flag. For example, the following command provides information about a specific cipher:

openssl ciphers -v DES-CBC3-SHA

The resulting output lists the various algorithms used by the cipher:

DES-CBC3-SHA		SSLv3 Kx=RSA		Au=RSA		Enc=3DES(168)		Mac=SHA1

where:

  • Kx (Key Exchange algorithm) is RSA
  • Au (Authentication algorithm) is RSA
  • Enc (Encryption algorithm) for sending data is 168-bit 3DES
  • Mac (Message authentication code) is SHA1
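The restrictions listed under Usable Ciphers can be applied mechanically to this -v output. The following Python script is an added example (not part of the Uniface product or this page): it parses lines in the `openssl ciphers -v` format and keeps only ciphers with Au=RSA that are not anonymous, not RC4, and not finite-field Diffie-Hellman or DSS (which would need parameter files). The sample output embedded below is constructed, not captured from a real host, and `live_cipher_output` assumes an `openssl` binary on PATH.

```python
import re
import subprocess

# Constructed sample in the `openssl ciphers -v` column layout (not captured from a real host).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH   Au=ECDSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH         Au=RSA   Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES128-SHA      SSLv3   Kx=DH           Au=DSS   Enc=AES(128)    Mac=SHA1
AECDH-AES256-SHA        SSLv3   Kx=ECDH         Au=None  Enc=AES(256)    Mac=SHA1
RC4-SHA                 SSLv3   Kx=RSA          Au=RSA   Enc=RC4(128)    Mac=SHA1
DES-CBC3-SHA            SSLv3   Kx=RSA          Au=RSA   Enc=3DES(168)   Mac=SHA1
AES128-SHA256           TLSv1.2 Kx=RSA          Au=RSA   Enc=AES(128)    Mac=SHA256
"""

# One -v line: name, protocol, then the Kx=/Au=/Enc=/Mac= columns explained above.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def parse_ciphers(text):
    """Turn `openssl ciphers -v` output into one dict per cipher, keyed by column."""
    ciphers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, proto, kx, au, enc, mac = m.groups()
            ciphers.append({"name": name, "proto": proto, "kx": kx,
                            "au": au, "enc": enc, "mac": mac})
    return ciphers


def usable_by_connector(cipher):
    """Apply the Usable Ciphers restrictions: RSA authentication only (this also
    drops Au=None anonymous ciphers and Au=DSS), no finite-field DH (needs a
    parameter file; ECDH does not), and no RC4."""
    if cipher["au"] != "RSA":
        return False
    if cipher["kx"] == "DH":
        return False
    if cipher["enc"].startswith("RC4"):
        return False
    return True


def usable_cipher_names(text):
    """Names of the ciphers in `text` that pass the connector restrictions, in order."""
    return [c["name"] for c in parse_ciphers(text) if usable_by_connector(c)]


def live_cipher_output():
    """Run the real command; assumes an `openssl` executable is on PATH."""
    return subprocess.run(["openssl", "ciphers", "-v"],
                          capture_output=True, text=True, check=True).stdout
```

Running `usable_cipher_names(live_cipher_output())` on a real host gives the candidate names for the connector; the order of the result is the order OpenSSL listed them.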

Configuring Encryption Ciphers

The algorithm used to create the private key affects the ciphers that the TLS connector can use, but you can further influence the available ciphers using the connector option cipher_list. It enables you to limit the list to a particular group of ciphers, such as high- or medium-security ciphers, or to specify only a few selected ciphers and their preferred order.